Aon Cyber Risk and Directors & Officers Forum CRM011

Transcription

1 Aon Cyber Risk and Directors & Officers Forum CRM011 Speakers: Leslie Lamb, Director, Global Risk & Resiliency Management, Cisco Systems Timothy Fletcher, Senior Vice President and Team Leader, Aon Risk Solutions Kieran Hughes, Vice President, Financial Lines Claims, AIG

2 Discussion Topics Recent Data Breach Incidents Resulting in D&O Claims Anatomy / Sources of Cyber Claims D&O Coverage Discussion D&O Insurer Concerns / Topics

3 Breach Incidents / D&O Claims Date Made Public September 2, 2014 December 13, 2013 July 25, 2012 Incident Home Depot Home Depot reported a massive breach of credit card information stemming back to an intrusion first reported in April of Details are still being provided by Home Depot. Target Corp. Attackers leveraged access to a third party network of Target s, where they were able to penetrate and move about undetected on Target's network and upload malware programs on the company's Point of Sale (POS) systems. The total number of affected individuals totaled up to 110M. Wyndham Worldwide Intruders gained unauthorized access to Wyndham s computer network on three occasions, on each occasion accessing sensitive personal information stored in Wyndham s hotel property management system. The FTC alleges that the data breaches resulted in the compromise of more that 619,000 consumer payment card account numbers, many of which were subsequently exported to a domain registered in Russia.

4 Sources of Claims After a Cyber Incident Customers Shareholders Regulatory Agencies Other Third Parties (e.g., Financial Institutions)

5 Anatomy of a Claim Security and/or Privacy Incident Stock drop Derivative/ Shareholder Class Action D&O Policy Regulatory Compliance: Mandatory Breach Notification? Regulatory Investigation: Individual Ds & Os receive subpoenas Civil Lawsuit Breach Response Expenses Network & Security Privacy Claim D&O Claim Network Security & Privacy Policy Coverage Overlap

6 D&O Claim Analysis Arising Out of a Cyber Incident Allegations include breach of fiduciary duty, waste of corporate assets, conspiracy and aiding and abetting. Named defendants include CEO CIO Lead independent director Other Directors Shareholders have also alleged that directors and officers violated federal securities laws by failing to disclose material adverse facts about data breaches, which resulted in substantial shareholder losses following stock declines Certain security breaches require mandatory SEC disclosure requirements from businesses when a number of events occur

7 Derivative Claim Analysis Arising Out of a Cyber Incident Derivative Action is a lawsuit brought by a corporate shareholder against the directors, officers and management of the corporation, for a failure by management. Procedure: A demand is initially filed by a shareholder requesting the Board to bring a civil proceeding in a court of law against a Director or Officer. Special Litigation Committees are typically formed and charged with investigating the merits of the shareholder s allegations and determining whether or not litigation is in the corporation s best interest. If a plaintiff shareholder can prove a demand upon the Board would be futile, then the shareholder can bring a derivative action directly against the Board on behalf of the company. Derivative settlement amounts are typically non-indemnifiable, subject to individual state laws on indemnification.

8 How Can a D&O Insurance Program Respond? Coverage for Individual Directors & Officers Derivative Actions, Shareholder Class Actions Regulatory Investigations - Individual Subpoenas Claims by Other Third Parties Coverage for Company Publicly Traded vs. Non-Public Securities claims only for publicly traded Beware of Anti-trust, Unfair Trade Practice and FTC exclusions Professional Services Exclusion? Mobile Iron IPO claim example

9 D&O Public Company Policy Considerations Definition of Loss typically excludes fines and penalties Bodily injury / Property damage exclusion Best practices: ensure no privacy exclusion and carveback for securities claims Professional Services exclusion Not standard, but best practices would be to obtain exception for: Securities claims including derivative claims Non-indemnifiable claims Side A DIC policy may provide broader coverage for individuals Some coverage may be available for fines and penalties No BI/PD Exclusion No E&O / Professional Services Exclusion

10 D&O Underwriting Considerations Insurers are increasingly asking cybersecurity and cyber breach questions as part of the D&O insurance underwriting process: May inquire on specific risk factor disclosure; May inquire if determination was reviewed by outside counsel; May inquire about controls around cyber security and how much attention and investment this matter receives within the company; May inquire about incident response and crisis management program May inquire details on cyber insurance program Insurers are also starting to evaluate aggregation of limits between D&O and Cyber policies